Spread of Darkness...Details on the public release of the Darkness DDoS bot

The features of "Darkness" described in our earlier post applied to the
latest version, 7g, of the bot. However, on December 26, 2010, version 6m
was made freely and publicly available on many forums. According to the
instructions distributed with the released v6m, it is quite easy to modify
the client executable to point it at a new command and control server. The
open release of this bot, along with the ease of customization, is a
development that warrants further analysis and increased awareness. We
have already seen several new "Darkness" Command and Control servers
come online, actively directing DDoS attacks.

Detected "Darkness" Command and Control

The following domains have been detected as running a "Darkness" Command
and Control server. Several of these were active on the IPs listed below as
of this blog post. I haven't yet researched whether these sites were
specifically set up as a C&C or whether they are compromised servers.

saud4.markaz-royal.net - 193.106.172.77

oneddos.cz.cc - 195.189.226.193

postsamart.in - offline

bezlic2a.net - 193.169.218.173

fletcher9837.ws - 91.200.40.55

site.ru - 194.226.215.67

dieta-doleta.ru - 193.105.240.164

zama4y.ebana.ru.preview.ihc.ru - 91.218.228.15

ololoshka.org - 217.199.218.195

supergjgjgjgjgjgjg.com - 89.187.53.197

tofdhf.ru - offline

193.105.240.59

vkotalke.info - 195.189.226.193

hackera.ru - 195.211.101.72

Modification of Binary

One distinction between v6m and v7g of "Darkness" is that v7g allows for 3
separate C&C URLs to be compiled into the client binary, while v6m only
permits one. During our testing of the public version, it was very easy
to modify the client binary and add a C&C URL of your choice. Version 6m
uses simple Base64 encoding of the URL within the binary. In testing,
we used a hex editor to modify the v6m binary to add in the Base64
representation of a nonexistent domain name (ssb0tt3st.org). Upon
execution, the modified binary properly performed DNS queries for our
dummy domain name.

The image below shows the unpacked v6m binary opened in a hex editor,
highlighting the modified URL string. The image also shows a Wireshark
session of the modified binary attempting to resolve the fake domain
'ssb0tt3st.org'.
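The analyst-side counterpart of the observation above is recovering the encoded callback from an unpacked sample without running it. The Python script below is an added example, not code from the original post or from the bot, that scans a byte blob for Base64 runs, strictly decodes each one, and keeps only those that decode to something shaped like a URL or hostname. The binary slice it scans is constructed here: it reuses only the dummy domain ssb0tt3st.org, the fixed strings "IpsectPro" and "dwm.exe", and the /optima/index.php callback path named in this post, and everything else is filler.

```python
import base64
import binascii
import re

# Constructed sample standing in for a slice of an unpacked v6m binary. It
# holds the fixed strings named in the post and a Base64-encoded callback URL
# built from the post's dummy domain and panel path. Everything else is filler.
SAMPLE_URL = b"http://ssb0tt3st.org/optima/index.php"
SAMPLE_BINARY = (
    b"\x4d\x5a\x90\x00" + b"\x00" * 16          # fake header bytes (filler)
    + b"IpsectPro\x00dwm.exe\x00"                # fixed display/exe names from the post
    + base64.b64encode(SAMPLE_URL) + b"\x00"     # the encoded C&C URL
    + b"\xff\xfe" * 8                            # filler
)

# Constructed negative sample: Base64 that decodes to text with spaces, and a
# long run of 'A' that decodes to zero bytes. Neither should be reported.
NOISE_SAMPLE = base64.b64encode(b"This is not a URL at all") + b"\x00" + b"A" * 20

# Constructed sample with a bare hostname and no scheme or path.
DOMAIN_ONLY_SAMPLE = base64.b64encode(b"ssb0tt3st.org")

# A run of Base64 alphabet characters long enough to hold a hostname, with
# optional '=' padding. Short runs are skipped to keep noise down.
B64_RUN = re.compile(rb"[A-Za-z0-9+/]{16,}={0,2}")

# Loose shape check for a decoded blob: optional scheme, a dotted hostname
# ending in an alphabetic TLD, and an optional path/query/fragment.
URL_LIKE = re.compile(
    rb"^(?:https?://)?[A-Za-z0-9.-]+\.[A-Za-z]{2,}(?:[/?#][\x21-\x7e]*)?$"
)


def decode_if_url(run):
    """Strictly decode one Base64 run; return it as text only if it looks like a URL."""
    # Strict decoding needs a length that is a multiple of 4. A run that ran
    # into a neighbouring ASCII string may be too long, so trim the tail.
    # (This is a heuristic: a run that absorbed leading characters will fail.)
    run = run[: len(run) - (len(run) % 4)]
    try:
        decoded = base64.b64decode(run, validate=True)
    except (binascii.Error, ValueError):
        return None
    # Reject anything that is not plain printable, non-space ASCII before
    # pattern matching; real callback URLs never contain control bytes.
    if not decoded or any(b < 0x21 or b > 0x7E for b in decoded):
        return None
    if not URL_LIKE.match(decoded):
        return None
    return decoded.decode("ascii")


def extract_b64_urls(blob):
    """Return (offset, url) pairs for every Base64 run in blob that decodes to a URL."""
    hits = []
    for match in B64_RUN.finditer(blob):
        url = decode_if_url(match.group(0))
        if url is not None:
            hits.append((match.start(), url))
    return hits


if __name__ == "__main__":
    # On the constructed sample this reports one hit at offset 0x26.
    for offset, url in extract_b64_urls(SAMPLE_BINARY):
        print(f"offset 0x{offset:x}: {url}")
    print("noise hits:", extract_b64_urls(NOISE_SAMPLE))
```

The reported offset is where a defender would look in the hex editor to confirm the string, and the decoded hostname is what gets handed to DNS sinkholing or blocklists. Because v7g encrypts the same variable, this plain Base64 pass is only expected to work on v6m-style samples.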

Note that in v7g, this C&C URL modification is no longer trivial, as the
variable containing the C&C URL is now encrypted.

Version 6 contains fixed values of "darkness", "IpsectPro", and
"dwm.exe" for the bot service registry key, display name, and executable
respectively. Version 7g allows for customization of these items for a
small fee.

User Agents

Each version of "Darkness" will use one of 10 different User Agent (UA)
strings during a DDoS attack. The User Agents are selected randomly upon
either a service restart or system reboot. The following list shows the
10 User Agents built into the binary:

AntiVirus detection of 'Darkness' and its variants is decent, with a high
percentage of the AV engines on VirusTotal detecting it. Several
binaries associated with 'Darkness' are:

085b71caf44fb70dc0a35c025f70806b

a7g563f69ceebc6984788bdcf6c8a221

bc53fbbfd198c85d18405f6a9ae69980

f03bc8dcc090607f38ffb3a36ccacf48

34d0e0d5485177b0ccdb3cb86fab37a9

be1a936feec2945d29b07c0cd90c6634

0fef6530154f3f4a214aa8930b38cf04

1287ccf6b8eafac100376ca6065c26fb

Observations and details about "Darkness" binary

The author insists that the correct name of the bot is "Destination Darkness Outlaw System". However, other names like Optima and Votwup are common. Votwup is a name often used by info-sec researchers. Optima is often used on forums for the sake of simplicity, along with the official name. Optima is derived from the name of the control panel "Optima", which was an 'optimized' version of the original panel.

The most common callback URL is "hxxp:<C&C_domain>/optima/index.php". There are two versions of the panel, red and blue. The latest C&Cs feature a red "Optima v.3" control panel.


The current price for version 7g is $350.

The bot ID is selected at random for each installation.

The malware features automatic updating.

There is no builder in the official versions; all customizations are done by the author as part of the original purchase or for an additional fee upon request.

Our testing showed that dd2=icmp, dd3=tcp/udp, and vot=voting are much less reliable than dd1=http.

The public release of v.6m, along with detailed instructions, is likely to increase the number of Darkness C&Cs.

Because bot modifications are easily performed on unpacked binaries, the release will likely attract inexperienced attackers, which could lead to a higher number of unpacked Darkness binaries seen in the wild.

Summary

As described in the Shadowserver blog post of 12/5/10, "Darkness" is quite an effective and efficient DDoS bot. Version 7g is already well advertised and well received in a large number of forums. With the free public release of Version 6m, we expect to soon see a wider deployment of "Darkness" Command and Control servers.

As usual, Shadowserver will continue to track all detected 'Darkness' DDoS bots. We will also notify the various global CERT teams, Law Enforcement, as well as the victims themselves.

I want to give special thanks to Mila Parkour of Contagio whose research and analysis assistance was instrumental to this post.